Date: Tue, 16 Mar 2021 23:46:27 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: tech-lists <tech-lists@zyxst.net>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Subject: Re: Getting started with ktls
Message-ID: <YQXPR0101MB096806853D2F666D892B983BDD6B9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <YFDwrtagYb8xllVp@ceres.zyxst.net>
References: <CAOtMX2ggNtsEQz7TinyHciqsgzUSjcdvMDb1oORKHtMBnzTELw@mail.gmail.com> <20210311003136.GM56617@kduck.mit.edu> <CAOtMX2iKtBAQWRzY1K9twAFrtdH=S559J6Zd%2Bm5D-YHHPVYf7g@mail.gmail.com> <20210311031501.GP56617@kduck.mit.edu> <CAOtMX2hApCJuTe8OqEJmjrj9vffLB%2BM%2Bc5qR=iPrhRnbeZf=jQ@mail.gmail.com> <YQXPR0101MB096899D3D2241D0D6D830227DD909@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YE4kM3euujJw9saZ@ceres.zyxst.net> <CAOtMX2gNMw2%2BYcKT9cY35SqASmnvMMH9GDK66VjQvhA85Rj_kQ@mail.gmail.com> <YQXPR0101MB0968DA8912890879ECB7C35BDD6D9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>, <YFDwrtagYb8xllVp@ceres.zyxst.net>
J. wrote:
>On Sun, Mar 14, 2021 at 08:55:18PM +0000, Rick Macklem wrote:
>>Alan explains how to set it up, below.
>>However, I thought I'd note that maybe one person has tested KTLS
>>on arm64, so you should consider doing this for test purposes only.
>>If you do do some testing, please post with your results,
>>success or failure.
>>
>>>It's present in current kernels for both 13 and 14, amd64 and aarch64.
>>>However, it's not present in 13's openssl. To use it, you must either
>>>rebuild world with WITH_OPENSSL_KTLS=YES in /etc/src.conf,
>
>>Doing it this way means that everything linked to OpenSSL will use
>>it. Probably a better test situation, but expect at least the apache
>>server to break. (Most breakage was fixed by a recent patch to the
>>serf library, but I think the apache server is still broken.)
>
>OK, it's been built and all ports recompiled and reinstalled. Things
>that use openssl on this machine are mutt (imaps), lynx (https),
>nginx (https) and py-certbot. They all seem to work. How would I test?
Well, if you do "sysctl -a | fgrep kern.ipc.tls.stats" and it is working,
you should see the count for at least one of the "crypts" ticking up.
If they are all zero, it isn't working. That might depend on the apps
or setup and does not necessarily indicate broken.

Trying the nfs-over-tls should definitely test it. When it works, the
data on the wire after the first couple of Null RPCs is encrypted.
Also, if you start the daemons with "-v", then it will log how the
handshake etc. goes in /var/log/daemon.log.

rick

thanks,
--
J.
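As an added illustration of the counter-based check Rick describes (this is not code from the thread or from FreeBSD): a small POSIX sh script that snapshots the kern.ipc.tls.stats counters before and after a command generates TLS traffic and prints the counters that increased. The counter names used in the offline demo are constructed placeholders, not the kernel's real sysctl names.

```shell
#!/bin/sh
# Added example, not from the thread: did any KTLS counter move while
# TLS traffic was flowing? A rising "crypt" counter means the kernel,
# not userland OpenSSL, is doing the record encryption.

# Snapshot the KTLS counters as "name value" lines (FreeBSD sysctl format
# is "name: value", so split on the colon).
ktls_snapshot() {
    sysctl -a 2>/dev/null | awk -F': ' '/^kern\.ipc\.tls\.stats/ { print $1, $2 }'
}

# Compare two snapshot files and print "name before after" for each counter
# that increased. Exit 0 if anything moved, 1 if nothing did (KTLS unused,
# or the apps never touched an offloaded socket).
ktls_delta() {
    awk '
        NR == FNR { before[$1] = $2; next }
        ($1 in before) && ($2 + 0) > (before[$1] + 0) {
            print $1, before[$1], $2; moved = 1
        }
        END { exit moved ? 0 : 1 }
    ' "$1" "$2"
}

# On the FreeBSD box: snapshot, run the traffic-generating command given
# as arguments (e.g. a fetch against the local nginx), snapshot, diff.
ktls_check() {
    b=$(mktemp); a=$(mktemp)
    ktls_snapshot > "$b"
    "$@"
    ktls_snapshot > "$a"
    ktls_delta "$b" "$a" && echo "KTLS counters moved" || echo "no KTLS counters moved"
    rm -f "$b" "$a"
}

# Offline demo with constructed snapshots (placeholder counter names) so the
# delta logic itself can be exercised without a FreeBSD kernel.
demo_delta() {
    b=$(mktemp); a=$(mktemp)
    printf '%s\n' 'kern.ipc.tls.stats.example_crypt_a 0' \
        'kern.ipc.tls.stats.example_crypt_b 12' 'kern.ipc.tls.stats.example_active 1' > "$b"
    printf '%s\n' 'kern.ipc.tls.stats.example_crypt_a 0' \
        'kern.ipc.tls.stats.example_crypt_b 57' 'kern.ipc.tls.stats.example_active 1' > "$a"
    ktls_delta "$b" "$a"; rc=$?
    rm -f "$b" "$a"
    return $rc
}

demo_delta
```

Run ktls_check with the client command that should hit the TLS server, for example `ktls_check fetch -o /dev/null https://localhost/`, and compare against a run with KTLS disabled.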